What should a firm do after it discovers that a customer’s account has been compromised?

Below is a checklist of some steps that a firm may need to take if it learns that an unauthorized person may have gained entry to a customer’s brokerage account. This checklist is not exhaustive, and a firm may need to take other steps depending on the nature or cause of the intrusion, the firm’s business model, the firm’s customer base, shifting security threats, and changes in law.

Monitor, limit, or temporarily suspend activity in the account until the situation is resolved.

Alert others in the firm (including the firm’s Legal and Compliance Department, if applicable) to be mindful of unusual activity in other customer accounts. Firms may want to consider designating in advance a specific individual or department to serve as a central contact for questions about account intrusion.

Identify, if possible, the root cause of the account intrusion (e.g., the firm’s system was compromised, the individual account was hacked, the customer was the victim of identity theft) and determine whether the intrusion is isolated to one account.

If the firm is not self-clearing, notify its clearing firm of the situation.

Contact the SEC and your FINRA Coordinator. In the event of an account intrusion, have the following information readily available if possible:

    Firm information (both the introducing and clearing firms involved)

        Firm name and CRD number

        Firm contact name and telephone number

    Date(s) and time(s) of activity

    IP addresses used to access the account

    Security or securities involved (name and symbol)

    Time and date of the activity

    Details of the trades or unexecuted orders

    Details concerning any wire transfer activity

    Customer account affected by the activity, including name and account number

Determine whether any unauthorized person has gained or potentially has gained access to an account holder’s personally identifiable information and, if so, whether the firm must provide a specific type of notification to the customer or others under state law regarding the loss of the customer’s information. Some states may require notice to the State Attorney General or other state law enforcement agencies in addition to customer notification.